Description
An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform a denial of service attack by specifying a large value for this parameter in a token.
An improper input validation vulnerability was found in the p2c parameter in the Apache CXF JOSE. This flaw allows an attacker to perform a denial of service attack by specifying a large value for this parameter in a token.
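The flaw described above is the PBES2 case where the token itself carries the PBKDF2 iteration count (`p2c`), so a receiver that does not bound it lets the sender choose the CPU cost. As an added example (not Apache CXF's own code), the Python below parses a JWE protected header and rejects an out-of-range `p2c` before any key derivation runs; `MAX_P2C`, `make_header` and the sample salt are constructed assumptions, not values from the advisory.

```python
import base64
import hashlib
import json

# RFC 7518 requires p2c >= 1000. MAX_P2C is a constructed, deployment-specific
# cap (not from the advisory); without one the token sender picks the CPU cost.
MIN_P2C = 1000
MAX_P2C = 100_000
PBES2_ALGS = {  # alg -> (PBKDF2 PRF, KEK length in bytes), RFC 7518 section 4.8
    "PBES2-HS256+A128KW": ("sha256", 16),
    "PBES2-HS384+A192KW": ("sha384", 24),
    "PBES2-HS512+A256KW": ("sha512", 32),
}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_pbes2_header(protected_b64: str) -> dict:
    """Parse the JWE protected header; reject a bad p2c before any PBKDF2 runs."""
    header = json.loads(b64url_decode(protected_b64))
    alg = header.get("alg")
    if alg not in PBES2_ALGS:
        raise ValueError(f"not a PBES2 algorithm: {alg!r}")
    p2c = header.get("p2c")
    if not isinstance(p2c, int) or isinstance(p2c, bool):  # bool subclasses int
        raise ValueError("p2c must be an integer")
    if not MIN_P2C <= p2c <= MAX_P2C:
        raise ValueError(f"p2c {p2c} outside [{MIN_P2C}, {MAX_P2C}]")
    if not isinstance(header.get("p2s"), str):
        raise ValueError("p2s salt missing")
    return header

def is_acceptable(protected_b64: str) -> bool:
    try:
        check_pbes2_header(protected_b64)
        return True
    except ValueError:
        return False

def derive_kek(password: bytes, header: dict) -> bytes:
    """PBES2 KEK derivation (RFC 7518 4.8.1.1): salt = alg || 0x00 || p2s.
    Only call with a header that passed check_pbes2_header."""
    prf, dklen = PBES2_ALGS[header["alg"]]
    salt = header["alg"].encode() + b"\x00" + b64url_decode(header["p2s"])
    return hashlib.pbkdf2_hmac(prf, password, salt, header["p2c"], dklen)

def make_header(alg: str, p2c, p2s: bytes = b"constructed-salt") -> str:
    # Builds a protected header from constructed sample values (test helper).
    p2s_b64 = base64.urlsafe_b64encode(p2s).rstrip(b"=").decode()
    body = {"alg": alg, "enc": "A128GCM", "p2s": p2s_b64, "p2c": p2c}
    return base64.urlsafe_b64encode(json.dumps(body).encode()).rstrip(b"=").decode()
```

The validation step runs in constant time regardless of the claimed `p2c`, which is the property a fixed receiver needs; only a header inside the policy window ever reaches `derive_kek`.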
Report
The improper input validation vulnerability in the p2c parameter of Apache CXF JOSE is rated Moderate rather than Important because of its limited scope and impact. The flaw lets an attacker specify a large value for the p2c parameter, causing excessive computational overhead and a potential denial of service (DoS), but it does not directly compromise data integrity, confidentiality, or authentication mechanisms. The attack affects system availability only, and exploiting it requires the ability to send crafted tokens to the service. Base EAP (7.4 and 8) and EAP XP (4 and 5) do not ship the affected CXF JAX-RS artifact: cxf-rt-rs-security-jose is part of CXF's JAX-RS, and EAP uses RESTEasy, hence EAP is not affected.
Mitigation
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat build of Apache Camel for Spring Boot 3 | org.apache.cxf/cxf-rt-rs-security-jose | Affected | ||
| Red Hat build of Quarkus | org.apache.cxf/cxf-rt-rs-security-jose | Will not fix | ||
| Red Hat Fuse 7 | org.apache.cxf/cxf-rt-rs-security-jose | Affected | ||
| Red Hat Integration Camel K 1 | org.apache.cxf/cxf-rt-rs-security-jose | Will not fix | ||
| Red Hat JBoss Data Grid 7 | org.apache.cxf/cxf-rt-rs-security-jose | Will not fix | ||
| Red Hat JBoss Enterprise Application Platform 7 | org.apache.cxf/cxf-rt-rs-security-jose | Not affected | ||
| Red Hat JBoss Enterprise Application Platform 8 | org.apache.cxf/cxf-rt-rs-security-jose | Not affected | ||
| Red Hat JBoss Enterprise Application Platform Expansion Pack | org.apache.cxf/cxf-rt-rs-security-jose | Not affected | ||
| Red Hat build of Apache Camel 3.20.7 for Spring Boot | org.apache.cxf/cxf-rt-rs-security-jose | Fixed | RHSA-2024:6883 | 19.09.2024 |
| Red Hat build of Apache Camel 4.4.0 for Spring Boot | | Fixed | RHSA-2024:2707 | 06.05.2024 |
Additional information
Status:
CVSS3: 7.5 High
Related vulnerabilities
An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform a denial of service attack by specifying a large value for this parameter in a token.
Apache CXF Denial of Service vulnerability in JOSE
A vulnerability in the JOSE component of the Apache CXF web services framework that allows an attacker to cause a denial of service
CVSS3: 7.5 High